Illinois High Court Makes It Easier to Sue Under the Biometric Information Act
(January 25, 2019) The Illinois Supreme Court has made it easier for consumers to maintain a private cause of action for violating the Illinois Biometric Information Privacy Act (“Act”).
The court said that consumers do not need to show actual financial damages because violation of the Act is a “real and significant” injury in and of itself sufficient to maintain a private cause of action.
“When a private entity fails to adhere to the statutory procedures . . . ‘the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized,’” the court wrote in finding that a party need not show actual injury under the statute to sue.
Illinois was the first, and is one of a handful of states, that regulates the collection and retention of biometric identifiers. The Illinois statute, unlike most other states, permits a private cause of action for violations.
The case arose in 2014 when a 14-year-old visited Six Flags Great America amusement park as part of a school trip. The family had purchased a season pass for him to pick up. As part of the process, his thumbprint was scanned and he received the annual pass. In order to enter the park, he had to place his thumb on a scanner. Neither the 14-year-old nor his parents were informed that fingerprinting was necessary to obtain the pass and no written release nor any explanation of how the fingerprints were to be used or stored was provided. The boy and his mother sued the amusement park under the statute. The trial court dismissed with prejudice parts of the case and the plaintiffs filed an interlocutory review regarding whether the biometric statute required actual damages.
In its opinion, the court noted that Six Flags has retained the biometric identifiers, refused to disclose what was done with the information or how long it will be kept, and lacked any written policy available to the public that discloses a “retention schedule or guidelines for retaining and then permanently destroying biometric identifiers and biometric information.”
Six Flags argued that the plaintiffs failed to show that they were “aggrieved parties” and were required to have sustained actual injury or harm other than the statutory violation itself in order to sue. The court disagreed, finding the violation in itself “is sufficient to support the individual’s or customer’s statutory cause of action.”
The court found:
“When private entities face liability for failure to comply with the law’s requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone. Compliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifies and information are not properly safeguarded; and the public welfare, security, and safety will be advanced. That is the point of the law. To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to the Act’s preventative and deterrent purposes.”
Stacy Rosenbach v. Six Flags Entertainment Corporation, Illinois Supreme Court No. 123186, issued January 25, 2019.